I think it would be impossible or extremely difficult for any individual
or group of individuals to write a web application without
vulnerabilities just by their knowledge alone. Whenever I audit a web
application, I test to see if the agency performs web application scans
as part of their development cycle (prior to moving a web application
into production). If they do not, I make a formal recommendation that
they do. The state of Maryland's Department of Budget and Management's
Systems Development Life Cycle requires agencies to scan applications
for vulnerabilities (see excerpt below).
Al S.
Excerpt: Systems Development Life Cycle (SDLC) - Volume 2, SDLC Phases,
Dated July 2002
Source: Maryland Department of Budget and Management
INTEGRATION AND TEST PHASE
1.0 OBJECTIVE
The objective of this phase is to prove that the developed system
satisfies the requirements defined in the FRD. Another purpose is to
perform an integrated system test function as specified by the design
parameters. This function shall be the responsibility of the system
testers and will be heavily supported by the user participants.
Prerequisites of this phase are the FRD, project management plan and
schedule, system baseline software and documents, and a test plan
containing all test requirements and schedules.
Several types of tests will be conducted in this phase. First, subsystem
integration tests shall be executed and evaluated by the development
team to prove that the program components integrate properly into the
subsystems and that the subsystems integrate properly into an
application. Next, the testing team conducts and evaluates system tests
to ensure the developed system meets all technical requirements,
including performance requirements. Next, the testing team and the
Security Program Manager conduct security tests to validate that the
access and data security requirements are met. Finally, users
participate in acceptance testing to confirm that the developed system
meets all user requirements as stated in the FRD. Acceptance testing
shall be done in a simulated "real" user environment with the users
using simulated or real target platforms and infrastructures.
2.3 Conduct Security Testing
The test and evaluation team will again create or load the test
database(s) and execute security (penetration) test(s). All tests will
be documented, similar to those above. Failed components will be
migrated back to the development phase for rework, and passed components
will be migrated ahead for acceptance testing.
-----Original Message-----
From: Dennis Hurst [mailto:dhurst at spidynamics.com]
Sent: Monday, July 17, 2006 3:41 PM
To: websecurity at webappsec.org
Subject: RE: [WEB SECURITY] application attacks
I'm new to the list so please pardon if I'm repeating something other
people have mentioned.
After being a developer for a long time and talking to developers about
security every day it seems that we (security people) miss a point very
often. Even in an ideal world where developers knew what SQL Injection,
et al, are and knew how to code against them, you are still going to have
issues. Web app security issues are frequently just bugs that have a
security aspect. They are simple mistakes that people make when they
get in a rush. I think this will always be the case which is why
testing for security issues is critical. Just like people test for
functional issues we need to test for security issues. No one says
"who's wrong?" when they find a simple bug, they just know that
development is a bug prone process and know that the process needs to
support stable software. It seems to me that blame does not do any good,
but improving the process of developing secure software has a huge value.
Dennis Hurst
dhurst at spidynamics.com
Microsoft Developer Security - MVP
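The point above, that security issues should be tested for the way functional issues are, as an added example that is not part of the original thread: a small sqlite3 test suite that runs a functional check and a security check (an injection payload must behave like any other unknown name) against a concatenating lookup and a parameterized one. The schema, the two lookup functions and the payload are constructed for illustration.

```python
"""Security tests alongside functional tests, using sqlite3 (stdlib only).

Added example, not from the original thread. The users table, the two
lookup functions and the injection payload are constructed for illustration.
"""
import sqlite3


def make_db():
    # Constructed sample data: an in-memory users table with three rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_concat(conn, name):
    # The "bug with a security aspect": SQL built by string concatenation,
    # so the caller's input becomes part of the query text.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    # The fix: the name travels as a bound parameter, never as SQL text.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed payload: closes the literal and appends an always-true clause.
INJECTION = "' OR '1'='1"


def functional_check(lookup):
    # Functional test: a known user is found, an unknown one is not.
    conn = make_db()
    return (lookup(conn, "bob") == [("bob", "user")]
            and lookup(conn, "mallory") == [])


def security_check(lookup):
    # Security test: the payload is just an unknown name and must match
    # nothing. Getting every row back means the injection bug is present.
    conn = make_db()
    return lookup(conn, INJECTION) == []


def run_suite():
    # Run both kinds of test over both implementations; returns a dict
    # keyed by (implementation, test kind) with True for pass, False for fail.
    results = {}
    for label, fn in (("concat", find_user_concat), ("param", find_user_param)):
        results[(label, "functional")] = functional_check(fn)
        results[(label, "security")] = security_check(fn)
    return results


if __name__ == "__main__":
    for key, ok in sorted(run_suite().items()):
        print(f"{key[0]:7s} {key[1]:11s} {'PASS' if ok else 'FAIL'}")
```

Both implementations pass the functional check, which is exactly why a functional-only suite never notices the concatenating version; only the security check, run in the same suite with the same pass/fail reporting, flags it.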
-----Original Message-----
From: AF [mailto:newsalaksa at nxtg.net]
Sent: Monday, July 17, 2006 3:26 PM
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] application attacks
Hi there!
I think the mistake is in this sentence:
> Now, every developer know how to
> protect their web applications against application attacks such as SQL
> Injection, XSS, HTTP smuggling, and others. So could someone give me some
> clear image about that. What's wrong?
The question is "Who's wrong ?"
The answer is : You. : )
That's a fact: many web developers still don't know how to implement
security principles. Many don't even know security principles exist!
So when it comes to sql injection, xss, splitting, applogic, and so
on... well... there's still a lot of work ahead of us to do. This applies
to almost every industry!
Pentesting, for fun, but also teaching and spreading the information
around us, as much as we can. That's it. That's what we can (have to?) do.
@ntoine
------------------------------------------------------------------------
----
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]